@provablehq/sdk 0.9.13 → 0.9.15-enc

package/dist/mainnet/browser.js

@@ -1,6 +1,7 @@
 import 'core-js/proposals/json-parse-with-source.js';
-import { ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Program, Plaintext, Transaction, ProvingRequest, Metadata, VerifyingKey, ProvingKey, RecordPlaintext, Field, Poseidon4, ProgramManager as ProgramManager$1, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
+import { ViewKey, ComputeKey, Address, PrivateKeyCiphertext, PrivateKey, RecordCiphertext, EncryptionToolkit, Group, Metadata, VerifyingKey, Program, Plaintext, Transaction, ProvingRequest, ProvingKey, RecordPlaintext, Field, Poseidon4, ProgramManager as ProgramManager$1, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
 export { Address, Authorization, BHP1024, BHP256, BHP512, BHP768, Boolean, Ciphertext, ComputeKey, EncryptionToolkit, ExecutionRequest, ExecutionResponse, Field, Execution as FunctionExecution, GraphKey, Group, I128, I16, I32, I64, I8, OfflineQuery, Pedersen128, Pedersen64, Plaintext, Poseidon2, Poseidon4, Poseidon8, PrivateKey, PrivateKeyCiphertext, Program, ProgramManager as ProgramManagerBase, ProvingKey, ProvingRequest, RecordCiphertext, RecordPlaintext, Scalar, Signature, Transaction, Transition, U128, U16, U32, U64, U8, VerifyingKey, ViewKey, getOrInitConsensusVersionTestHeights, initThreadPool, verifyFunctionExecution } from '@provablehq/wasm/mainnet.js';
+import sodium from 'libsodium-wrappers';
 import { bech32m } from '@scure/base';
 
 /**
@@ -72,6 +73,23 @@ class Account {
             throw new Error("Wrong password or invalid ciphertext");
         }
     }
+    /**
+     * Validates whether the given input is a valid Aleo address.
+     * @param {string | Uint8Array} address The address to validate, either as a string or bytes
+     * @returns {boolean} True if the address is valid, false otherwise
+     *
+     * @example
+     * import { Account } from "@provablehq/sdk/testnet.js";
+     *
+     * const isValid = Account.isValidAddress("aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px");
+     * console.log(isValid); // true
+     *
+     * const isInvalid = Account.isValidAddress("invalid_address");
+     * console.log(isInvalid); // false
+     */
+    static isValidAddress(address) {
+        return Address.isValid(address);
+    }
     /**
      * Creates a PrivateKey from the provided parameters.
      * @param {AccountParam} params The parameters containing either a private key string or a seed
@@ -466,6 +484,191 @@ async function retryWithBackoff(fn, { maxAttempts = 5, baseDelay = 100, jitter,
     throw new Error("retryWithBackoff: unreachable");
 }
 
+/** Type guard: value is a ProvingResponse. */
+function isProvingResponse(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        "transaction" in value &&
+        "broadcast_result" in value &&
+        typeof value.broadcast_result === "object");
+}
+/** Type guard: value is a ProveApiErrorBody. */
+function isProveApiErrorBody(value) {
+    return (typeof value === "object" &&
+        value !== null &&
+        "message" in value);
+}
+
+await sodium.ready;
+/**
+ * Encrypt an authorization with a libsodium cryptobox public key.
+ *
+ * @param {string} publicKey The cryptobox X25519 public key to encrypt with (encoded in RFC 4648 standard Base64).
+ * @param {Authorization} authorization the authorization to encrypt.
+ *
+ * @returns {string} the encrypted authorization in RFC 4648 standard Base64.
+ */
+function encryptAuthorization(publicKey, authorization) {
+    // Ready the cryptobox lib.
+    return encryptMessage(publicKey, authorization.toBytesLe());
+}
+/**
+ * Encrypt a ProvingRequest with a libsodium cryptobox public key.
+ *
+ * @param {string} publicKey The cryptobox X25519 public key to encrypt with (encoded in RFC 4648 standard Base64).
+ * @param {Authorization} provingRequest the ProvingRequest to encrypt.
+ *
+ * @returns {string} the encrypted ProvingRequest in RFC 4648 standard Base64.
+ */
+function encryptProvingRequest(publicKey, provingRequest) {
+    return encryptMessage(publicKey, provingRequest.toBytesLe());
+}
+/**
+ * Encrypt a view key with a libsodium cryptobox public key.
+ *
+ * @param {string} publicKey The cryptobox X25519 public key to encrypt with (encoded in RFC 4648 standard Base64).
+ * @param {ViewKey} viewKey the view key to encrypt.
+ *
+ * @returns {string} the encrypted view key in RFC 4648 standard Base64.
+ */
+function encryptViewKey(publicKey, viewKey) {
+    return encryptMessage(publicKey, viewKey.toBytesLe());
+}
+/**
+ * Encrypt a record scanner registration request.
+ *
+ * @param {string} publicKey The cryptobox X25519 public key to encrypt with (encoded in RFC 4648 standard Base64).
+ * @param {ViewKey} viewKey the view key to encrypt.
+ * @param {number} start the start height of the registration request.
+ *
+ * @returns {string} the encrypted view key in RFC 4648 standard Base64.
+ */
+function encryptRegistrationRequest(publicKey, viewKey, start) {
+    // Turn the view key into a Uint8Array.
+    const vk_bytes = viewKey.toBytesLe();
+    // Create a new array to hold the original bytes and the 4-byte start height.
+    const bytes = new Uint8Array(vk_bytes.length + 4);
+    // Copy existing bytes.
+    bytes.set(vk_bytes, 0);
+    // Write the 4-byte number in LE format at the end of the array.
+    const view = new DataView(bytes.buffer);
+    view.setUint32(vk_bytes.length, start, true);
+    // Encrypt the encoded bytes.
+    return encryptMessage(publicKey, bytes);
+}
+/**
+ * Encrypt arbitrary bytes with a libsodium cryptobox public key.
+ *
+ * @param {string} publicKey The cryptobox X25519 public key to encrypt with (encoded in RFC 4648 standard Base64).
+ * @param {Uint8Array} message the bytes to encrypt.
+ *
+ * @returns {string} the encrypted bytes in RFC 4648 standard Base64.
+ */
+function encryptMessage(publicKey, message) {
+    const publicKeyBytes = sodium.from_base64(publicKey, sodium.base64_variants.ORIGINAL);
+    return sodium.to_base64(sodium.crypto_box_seal(message, publicKeyBytes), sodium.base64_variants.ORIGINAL);
+}
+
+const KEY_STORE = Metadata.baseUrl();
+function convert(metadata) {
+    // This looks up the method name in VerifyingKey
+    const verifyingKey = VerifyingKey[metadata.verifyingKey];
+    if (!verifyingKey) {
+        throw new Error("Invalid method name: " + metadata.verifyingKey);
+    }
+    return {
+        name: metadata.name,
+        locator: metadata.locator,
+        prover: metadata.prover,
+        verifier: metadata.verifier,
+        verifyingKey,
+    };
+}
+const CREDITS_PROGRAM_KEYS = {
+    bond_public: convert(Metadata.bond_public()),
+    bond_validator: convert(Metadata.bond_validator()),
+    claim_unbond_public: convert(Metadata.claim_unbond_public()),
+    fee_private: convert(Metadata.fee_private()),
+    fee_public: convert(Metadata.fee_public()),
+    inclusion: convert(Metadata.inclusion()),
+    join: convert(Metadata.join()),
+    set_validator_state: convert(Metadata.set_validator_state()),
+    split: convert(Metadata.split()),
+    transfer_private: convert(Metadata.transfer_private()),
+    transfer_private_to_public: convert(Metadata.transfer_private_to_public()),
+    transfer_public: convert(Metadata.transfer_public()),
+    transfer_public_as_signer: convert(Metadata.transfer_public_as_signer()),
+    transfer_public_to_private: convert(Metadata.transfer_public_to_private()),
+    unbond_public: convert(Metadata.unbond_public()),
+    getKey: function (key) {
+        if (this.hasOwnProperty(key)) {
+            return this[key];
+        }
+        else {
+            throw new Error(`Key "${key}" not found.`);
+        }
+    }
+};
+const PRIVATE_TRANSFER_TYPES = new Set([
+    "transfer_private",
+    "private",
+    "transferPrivate",
+    "transfer_private_to_public",
+    "privateToPublic",
+    "transferPrivateToPublic",
+]);
+const VALID_TRANSFER_TYPES = new Set([
+    "transfer_private",
+    "private",
+    "transferPrivate",
+    "transfer_private_to_public",
+    "privateToPublic",
+    "transferPrivateToPublic",
+    "transfer_public",
+    "transfer_public_as_signer",
+    "public",
+    "public_as_signer",
+    "transferPublic",
+    "transferPublicAsSigner",
+    "transfer_public_to_private",
+    "publicToPrivate",
+    "publicAsSigner",
+    "transferPublicToPrivate",
+]);
+const PRIVATE_TRANSFER = new Set([
+    "private",
+    "transfer_private",
+    "transferPrivate",
+]);
+const PRIVATE_TO_PUBLIC_TRANSFER = new Set([
+    "private_to_public",
+    "privateToPublic",
+    "transfer_private_to_public",
+    "transferPrivateToPublic",
+]);
+const PUBLIC_TRANSFER = new Set([
+    "public",
+    "transfer_public",
+    "transferPublic",
+]);
+const PUBLIC_TRANSFER_AS_SIGNER = new Set([
+    "public_as_signer",
+    "transfer_public_as_signer",
+    "transferPublicAsSigner",
+]);
+const PUBLIC_TO_PRIVATE_TRANSFER = new Set([
+    "public_to_private",
+    "publicToPrivate",
+    "transfer_public_to_private",
+    "transferPublicToPrivate",
+]);
+const RECORD_DOMAIN = "RecordScannerV0";
+/**
+ * Zero address on Aleo blockchain that corresponds to field element 0. Used as padding in Merkle trees and as a sentinel value.
+ */
+const ZERO_ADDRESS = "aleo1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3ljyzc";
+const FIVE_MINUTES = 5 * 60 * 1000; // 5 minutes in milliseconds
+
 /**
  * Client library that encapsulates REST calls to publicly exposed endpoints of Aleo nodes. The methods provided in this
  * allow users to query public information from the Aleo blockchain and submit transactions to the network.
@@ -477,6 +680,8 @@ async function retryWithBackoff(fn, { maxAttempts = 5, baseDelay = 100, jitter,
  *
  * // Connection to a public beacon node
  * const account = Account.fromCiphertext(process.env.ciphertext, process.env.password);
+ * const apiKey = process.env.apiKey;
+ * const consumerId = process.env.consumerId;
  * const publicNetworkClient = new AleoNetworkClient("http://api.explorer.provable.com/v1", undefined, account);
  */
 class AleoNetworkClient {
@@ -486,18 +691,40 @@ class AleoNetworkClient {
     ctx;
     verboseErrors;
     network;
+    apiKey;
+    consumerId;
+    jwtData;
+    proverUri;
+    recordScannerUri;
     constructor(host, options) {
         this.host = host + "/mainnet";
         this.network = "mainnet";
         this.ctx = {};
         this.verboseErrors = true;
-        if (options && options.headers) {
-            this.headers = options.headers;
+        if (options) {
+            if (options.headers) {
+                this.headers = options.headers;
+            }
+            else {
+                this.headers = {
+                    // This is replaced by the actual version by a Rollup plugin
+                    "X-Aleo-SDK-Version": "0.9.15-enc",
+                    "X-Aleo-environment": environment(),
+                };
+            }
+            // If a prover uri was specified, set the prover uri.
+            if (options.proverUri) {
+                this.proverUri = options.proverUri + "/mainnet";
+            }
+            // If a record scanner uri was specified, set the record scanner uri.
+            if (options.recordScannerUri) {
+                this.recordScannerUri = options.recordScannerUri + "/mainnet";
+            }
         }
         else {
             this.headers = {
                 // This is replaced by the actual version by a Rollup plugin
-                "X-Aleo-SDK-Version": "0.9.13",
+                "X-Aleo-SDK-Version": "0.9.15-enc",
                 "X-Aleo-environment": environment(),
             };
         }
@@ -542,6 +769,40 @@ class AleoNetworkClient {
     setHost(host) {
         this.host = host + "/mainnet";
     }
+    /**
+     * Set a new uri for a remote prover.
+     *
+     * @param {string} proverUri The uri of the remote prover.
+     *
+     * @example
+     * import { AleoNetworkClient } from "@provablehq/sdk/mainnet.js";
+     *
+     * // Create a networkClient that connects to the provable explorer api.
+     * const networkClient = new AleoNetworkClient("http://api.explorer.provable.com/v1", undefined);
+     *
+     * // Set the prover uri.
+     * networkClient.setProverUri("https://prover.provable.prove");
+     */
+    setProverUri(proverUri) {
+        this.proverUri = proverUri + "/mainnet";
+    }
+    /**
+     * Set a new uri for a remote record scanner.
+     *
+     * @param {string} recordScannerUri The uri of the remote record scanner.
+     *
+     * @example
+     * import { AleoNetworkClient } from "@provablehq/sdk/mainnet.js";
+     *
+     * // Create a networkClient that connects to the provable explorer api.
+     * const networkClient = new AleoNetworkClient("http://api.explorer.provable.com/v1", undefined);
+     *
+     * // Set the record scanner uri.
+     * networkClient.setRecordScannerUri("https://scanner.provable.scan");
+     */
+    setRecordScannerUri(recordScannerUri) {
+        this.recordScannerUri = recordScannerUri + "/mainnet";
+    }
     /**
      * Set verbose errors to true or false for the `AleoNetworkClient`. When set to true, if `submitTransaction` fails, the failure responses will report descriptive information as to why the transaction failed.
      *
@@ -1342,10 +1603,9 @@ class AleoNetworkClient {
      * programImports = await networkClient.getProgramImports(double_test);
      * assert.deepStrictEqual(programImports, expectedImports);
      */
-    async getProgramImports(inputProgram) {
+    async getProgramImports(inputProgram, imports = {}) {
         try {
             this.ctx = { "X-ALEO-METHOD": "getProgramImports" };
-            const imports = {};
             // Normalize input to a Program object
             let program;
             if (inputProgram instanceof Program) {
@@ -1371,7 +1631,7 @@ class AleoNetworkClient {
                 const import_id = importList[i];
                 if (!imports.hasOwnProperty(import_id)) {
                     const programSource = await this.getProgram(import_id);
-                    const nestedImports = await this.getProgramImports(import_id);
+                    const nestedImports = await this.getProgramImports(programSource, imports);
                     for (const key in nestedImports) {
                         if (!imports.hasOwnProperty(key)) {
                             imports[key] = nestedImports[key];
@@ -1842,37 +2102,182 @@ class AleoNetworkClient {
         }
     }
     /**
-     * Submit a `ProvingRequest` to a remote proving service for delegated proving. If the broadcast flag of the `ProvingRequest` is set to `true` the remote service will attempt to broadcast the result `Transaction` on behalf of the requestor.
+     * Refreshes the JWT by making a POST request to /jwts/{consumer_id}
+     *
+     * @param {string} apiKey - The API key for authentication.
+     * @param {string} consumerId - The consumer ID associated with the API key.
+     * @returns {Promise<JwtData>} The JWT token and expiration time
+     */
+    async refreshJwt(apiKey, consumerId) {
+        if (!apiKey || !consumerId) {
+            throw new Error('API key and consumer ID are required to refresh JWT');
+        }
+        const response = await post(`https://api.provable.com/jwts/${consumerId}`, {
+            headers: {
+                'X-Provable-API-Key': apiKey
+            }
+        });
+        const authHeader = response.headers.get('authorization');
+        if (!authHeader) {
+            throw new Error('No authorization header in JWT refresh response');
+        }
+        const body = await response.json();
+        return {
+            jwt: authHeader,
+            expiration: body.exp * 1000 // Convert to milliseconds
+        };
+    }
+    /**
+     * Parses a /prove or /prove/encrypted response. Returns a result object (never throws for 200/400/500/503).
+     */
+    async handleProvingResponse(response) {
+        // Get the proving response text.
+        const text = await response.text();
+        let body;
+        // Parse the body.
+        try {
+            body = parseJSON(text);
+        }
+        catch {
+            body = {};
+        }
+        // If the status is 200, attempt to parse the Proving Request along its expected structure.
+        if (response.status === 200) {
+            if (isProvingResponse(body)) {
+                return { ok: true, data: body };
+            }
+            return {
+                ok: false,
+                status: response.status,
+                error: { message: "Invalid response from proving service" },
+            };
+        }
+        // If the response is non 200, return the information back to the caller so it can be handled.
+        if (response.status === 400 || response.status === 500 || response.status === 503) {
+            const error = isProveApiErrorBody(body)
+                ? body
+                : { message: text || `${response.status} error` };
+            return { ok: false, status: response.status, error };
+        }
+        return {
+            ok: false,
+            status: response.status,
+            error: { message: text || `${response.status} error` },
+        };
+    }
+    /**
+     * Submit a `ProvingRequest` to a remote proving service for delegated proving. If the broadcast flag of the `ProvingRequest` is set to `true` the remote service will attempt to broadcast the result `Transaction` on behalf of the requestor. Throws on HTTP 400, 500, 503 (and retries on 500/503). Callers should {@link submitProvingRequestSafe} to handle proving request failures without throwing.
      *
      * @param {DelegatedProvingParams} options - The optional parameters required to submit a proving request.
      * @returns {Promise<ProvingResponse>} The ProvingResponse containing the transaction result and the result of the broadcast if the `broadcast` flag was set to `true`.
      */
     async submitProvingRequest(options) {
-        const proverUri = options.url ?? this.host;
+        const result = await this.submitProvingRequestSafe(options);
+        if (result.ok) {
+            return result.data;
+        }
+        const err = new Error(result.error.message);
+        err.status = result.status;
+        throw err;
+    }
+    /**
+     * Submit a proving request and return a result object instead of throwing. This method is usable when callers want to handle HTTP status (400, 500, 503) yourself. Retries on 500/503 and returns on 200 or 400.
+     *
+     * @param {DelegatedProvingParams} options - The optional parameters required to submit a proving request.
+     * @returns {Promise<ProvingResult>} `{ ok: true, data }` on success (200), or `{ ok: false, status, error }` on 400/500/503. Check `result.ok` and then either `result.data` or `result.status` / `result.error.message`.
+     */
+    async submitProvingRequestSafe(options) {
+        // Attempt to get the Prover URI first from the options, then from any configured globally, or third try the main configured host.
+        const proverUri = (options.url ?? this.proverUri) ?? this.host;
         const provingRequestString = options.provingRequest instanceof ProvingRequest
             ? options.provingRequest.toString()
             : options.provingRequest;
-        // Build headers with proper auth fallback
+        // Try to get JWT data to access the Provable API.
+        const apiKey = options.apiKey ?? this.apiKey;
+        const consumerId = options.consumerId ?? this.consumerId;
+        let jwtData = options.jwtData ?? this.jwtData;
+        // Check to see if the JWT needs refreshing.
+        const isExpired = jwtData && Date.now() >= jwtData.expiration - FIVE_MINUTES;
+        if (!jwtData || isExpired) {
+            if (options.apiKey && options.consumerId) {
+                jwtData = await this.refreshJwt(apiKey, consumerId);
+                this.jwtData = jwtData;
+                options.jwtData = jwtData;
+            }
+            else {
+                console.warn('JWT or both apiKey and consumerId are required when using the Provable API');
+            }
+        }
+        // Create the necessary headers to hit the provable api.
         const headers = {
             ...this.headers,
             "X-ALEO-METHOD": "submitProvingRequest",
-            "Content-Type": "application/json"
+            "Content-Type": "application/json",
         };
-        // Add auth header based on what's available
-        if (options.apiKey) {
-            headers["X-Provable-API-Key"] = options.apiKey;
-        }
-        try {
-            const response = await retryWithBackoff(() => post(`${proverUri}/prove`, {
+        if (jwtData?.jwt) {
+            headers["Authorization"] = jwtData.jwt;
+        }
+        // Encapsulate the requests in a locally scoped function that can be run with a retry closure.
+        const runRequest = async () => {
+            // If DPS privacy is set, call invoke the encrypted flow.
+            if (options.dpsPrivacy) {
+                // Get an ephemeral public key from a DPS service.
+                const pubKeyResponse = await get(proverUri + "/pubkey", {
+                    headers,
+                });
+                // Encrypt the provingRequest.
+                const pubkey = parseJSON(await pubKeyResponse.text());
+                const ciphertext = encryptProvingRequest(pubkey.public_key, ProvingRequest.fromString(provingRequestString));
+                // Form the expected query a DPS service expects (including the key_id).
+                const payload = {
+                    key_id: pubkey.key_id,
+                    ciphertext: ciphertext,
+                };
+                const res = await fetch(`${proverUri}/prove/encrypted`, {
+                    method: "POST",
+                    body: JSON.stringify(payload),
+                    headers,
+                });
+                // Properly handle the proving response.
+                return this.handleProvingResponse(res);
+            }
+            // If encrypted usage is not specified use the unencrypted endpoint.
+            const proveEndpoint = proverUri.endsWith("/prove")
+                ? proverUri
+                : proverUri + "/prove";
+            const res = await fetch(proveEndpoint, {
+                method: "POST",
                 body: provingRequestString,
-                headers
-            }));
-            const responseText = await response.text();
-            return parseJSON(responseText);
+                headers,
+            });
+            // Properly handle the proving response.
+            return this.handleProvingResponse(res);
+        };
+        try {
+            // Run the request with retries.
+            return await retryWithBackoff(async () => {
+                // Run the encrypted or non-encrypted flow as specified by the flags.
+                const result = await runRequest();
+                if (result.ok) {
+                    return result;
+                }
+                // If 500s are hit responses are returned, attempt retries.
+                if (result.status === 500 || result.status === 503) {
+                    const err = new Error(result.error.message);
+                    err.status = result.status;
+                    throw err;
+                }
+                return result;
+            });
         }
-        catch (error) {
-            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-            throw new Error(`Failed to submit proving request: ${errorMessage}`);
+        catch (err) {
+            // If an error is returned, provide usable information to the caller.
+            const e = err;
+            return {
+                ok: false,
+                status: e.status ?? 500,
+                error: { message: e.message },
+            };
         }
     }
     /**
@@ -1957,105 +2362,6 @@ class AleoNetworkClient {
     }
 }
 
-const KEY_STORE = Metadata.baseUrl();
-function convert(metadata) {
-    // This looks up the method name in VerifyingKey
-    const verifyingKey = VerifyingKey[metadata.verifyingKey];
-    if (!verifyingKey) {
-        throw new Error("Invalid method name: " + metadata.verifyingKey);
-    }
-    return {
-        name: metadata.name,
-        locator: metadata.locator,
-        prover: metadata.prover,
-        verifier: metadata.verifier,
-        verifyingKey,
-    };
-}
-const CREDITS_PROGRAM_KEYS = {
-    bond_public: convert(Metadata.bond_public()),
-    bond_validator: convert(Metadata.bond_validator()),
-    claim_unbond_public: convert(Metadata.claim_unbond_public()),
-    fee_private: convert(Metadata.fee_private()),
-    fee_public: convert(Metadata.fee_public()),
-    inclusion: convert(Metadata.inclusion()),
-    join: convert(Metadata.join()),
-    set_validator_state: convert(Metadata.set_validator_state()),
-    split: convert(Metadata.split()),
-    transfer_private: convert(Metadata.transfer_private()),
-    transfer_private_to_public: convert(Metadata.transfer_private_to_public()),
-    transfer_public: convert(Metadata.transfer_public()),
-    transfer_public_as_signer: convert(Metadata.transfer_public_as_signer()),
-    transfer_public_to_private: convert(Metadata.transfer_public_to_private()),
-    unbond_public: convert(Metadata.unbond_public()),
-    getKey: function (key) {
-        if (this.hasOwnProperty(key)) {
-            return this[key];
-        }
-        else {
-            throw new Error(`Key "${key}" not found.`);
-        }
-    }
-};
-const PRIVATE_TRANSFER_TYPES = new Set([
-    "transfer_private",
-    "private",
-    "transferPrivate",
-    "transfer_private_to_public",
-    "privateToPublic",
-    "transferPrivateToPublic",
-]);
-const VALID_TRANSFER_TYPES = new Set([
-    "transfer_private",
-    "private",
-    "transferPrivate",
-    "transfer_private_to_public",
-    "privateToPublic",
-    "transferPrivateToPublic",
-    "transfer_public",
-    "transfer_public_as_signer",
-    "public",
-    "public_as_signer",
-    "transferPublic",
-    "transferPublicAsSigner",
-    "transfer_public_to_private",
-    "publicToPrivate",
-    "publicAsSigner",
-    "transferPublicToPrivate",
-]);
-const PRIVATE_TRANSFER = new Set([
-    "private",
-    "transfer_private",
-    "transferPrivate",
-]);
-const PRIVATE_TO_PUBLIC_TRANSFER = new Set([
-    "private_to_public",
-    "privateToPublic",
-    "transfer_private_to_public",
-    "transferPrivateToPublic",
-]);
-const PUBLIC_TRANSFER = new Set([
-    "public",
-    "transfer_public",
-    "transferPublic",
-]);
-const PUBLIC_TRANSFER_AS_SIGNER = new Set([
-    "public_as_signer",
-    "transfer_public_as_signer",
-    "transferPublicAsSigner",
-]);
-const PUBLIC_TO_PRIVATE_TRANSFER = new Set([
-    "public_to_private",
-    "publicToPrivate",
-    "transfer_public_to_private",
-    "transferPublicToPrivate",
-]);
-const RECORD_DOMAIN = "RecordScannerV0";
-/**
- * Zero address on Aleo blockchain that corresponds to field element 0. Used as padding in Merkle trees and as a sentinel value.
- */
-const ZERO_ADDRESS = "aleo1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3ljyzc";
-
 /**
  * AleoKeyProviderParams search parameter for the AleoKeyProvider. It allows for the specification of a proverUri and
  * verifierUri to fetch keys via HTTP from a remote resource as well as a unique cacheKey to store the keys in memory.
@@ -3287,6 +3593,20 @@ class BlockHeightSearch {
     }
 }
 
+/**
+ * Error thrown when a record scanner request fails (e.g. /register, /register/encrypted).
+ * Includes HTTP status so callers can handle 422 vs 500 etc.
+ */
+class RecordScannerRequestError extends Error {
+    status;
+    constructor(message, status) {
+        super(message);
+        this.name = "RecordScannerRequestError";
+        this.status = status;
+        Object.setPrototypeOf(this, RecordScannerRequestError.prototype);
+    }
+}
+
 /**
  * RecordScanner is a RecordProvider implementation that uses the record scanner service to find records.
  *
@@ -3296,7 +3616,8 @@ class BlockHeightSearch {
  * const recordScanner = new RecordScanner({ url: "https://record-scanner.aleo.org" });
  * recordScanner.setAccount(account);
  * recordScanner.setApiKey("your-api-key");
- * const uuid = await recordScanner.register(0);
+ * const result = await recordScanner.register(viewKey, 0);
+ * if (result.ok) { const uuid = result.data.uuid; }
  *
  * const filter = {
  *     uuid,
@@ -3332,9 +3653,21 @@ class RecordScanner {
     url;
     apiKey;
     uuid;
+    consumerId;
+    jwtData;
     constructor(options) {
-        this.url = options.url;
+        // Set the network by detecting which version of the SDK is being used.
+        const network = "/mainnet";
+        // If the user has configured a network in their uri, throw
+        if (options.url.endsWith("/mainnet") || options.url.endsWith("/testnet")) {
+            throw new Error("The record scanning url should not include the specific network, this is automatically configured by the Provable SDK.");
+        }
+        // Configure the url to use the network the SDK is using.
+        this.url = options.url + network;
+        // Configure authentication options/
         this.apiKey = typeof options.apiKey === "string" ? { header: "X-Provable-API-Key", value: options.apiKey } : options.apiKey;
+        this.consumerId = options.consumerId;
+        this.jwtData = options.jwtData;
     }
     /**
      * Set the API key to use for the record scanner.
@@ -3344,6 +3677,59 @@ class RecordScanner {
     async setApiKey(apiKey) {
         this.apiKey = typeof apiKey === "string" ? { header: "X-Provable-API-Key", value: apiKey } : apiKey;
     }
+    /**
+     * Set the consumer ID used for JWT refresh when using authenticated record scanner (e.g. Provable API).
+     */
+    async setConsumerId(consumerId) {
+        this.consumerId = consumerId;
+    }
+    /**
+     * Set JWT data for authentication. Optional; when not set, JWT can be refreshed from apiKey + consumerId if provided.
+     */
+    async setJwtData(jwtData) {
+        this.jwtData = jwtData;
+    }
+    /**
+     * Refreshes the JWT by making a POST request to /jwts/{consumer_id}. Used when authentication is required.
+     */
+    async refreshJwt(apiKey, consumerId) {
+        const response = await post(`https://api.provable.com/jwts/${consumerId}`, {
+            headers: {
+                "X-Provable-API-Key": apiKey,
+            },
+        });
+        const authHeader = response.headers.get("authorization");
+        if (!authHeader) {
+            throw new Error("No authorization header in JWT refresh response");
+        }
+        const body = await response.json();
+        return {
+            jwt: authHeader,
+            expiration: body.exp * 1000, // Convert to milliseconds
+        };
+    }
+    /**
+     * Returns auth headers (e.g. Authorization with JWT). Refreshes JWT if expired and apiKey + consumerId are set. Empty when auth is not configured.
+     */
+    async getAuthHeaders() {
+        let jwtData = this.jwtData;
+        const isExpired = jwtData && Date.now() >= jwtData.expiration - FIVE_MINUTES;
+        if (!jwtData || isExpired) {
+            const apiKey = this.apiKey?.value;
+            if (apiKey && this.consumerId) {
+                jwtData = await this.refreshJwt(apiKey, this.consumerId);
+                this.jwtData = jwtData;
+            }
+            else if (jwtData?.jwt) {
+                // Use existing JWT even if expired when we can't refresh
+                return { Authorization: jwtData.jwt };
+            }
+            else {
+                return {};
+            }
+        }
+        return jwtData?.jwt ? { Authorization: jwtData.jwt } : {};
+    }
     /**
      * Set the UUID to use for the record scanner.
      *
@@ -3353,14 +3739,15 @@ class RecordScanner {
         this.uuid = uuidOrViewKey instanceof ViewKey ? this.computeUUID(uuidOrViewKey) : uuidOrViewKey;
     }
     /**
-     * Register the account with the record scanner service.
+     * Register the account with the record scanner service (unencrypted POST /register). Does not throw if a valid error response from the record scanner is received; returns a result object instead.
      *
+     * @param {ViewKey} viewKey The view key to register.
      * @param {number} startBlock The block height to start scanning from.
-     * @returns {Promise<RegistrationResponse>} The response from the record scanner service.
+     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
      */
     async register(viewKey, startBlock) {
         try {
-            let request = {
+            const request = {
                 view_key: viewKey.to_string(),
                 start: startBlock,
             };
@@ -3371,11 +3758,63 @@ class RecordScanner {
             }));
             const data = await response.json();
             this.uuid = data.uuid;
-            return data;
+            return { ok: true, data };
         }
-        catch (error) {
-            console.error(`Failed to register view key: ${error}`);
-            throw error;
+        catch (err) {
+            if (err instanceof RecordScannerRequestError) {
+                return {
+                    ok: false,
+                    status: err.status,
+                    error: { message: err.message },
+                };
+            }
+            console.error(`Failed to register view key: ${err}`);
+            throw err;
+        }
+    }
+    /**
+     * Fetches an ephemeral public key from the record scanner service for use with registerEncrypted.
+     * Follows the same pattern as the delegated proving service /pubkey endpoint.
+     *
+     * @returns {Promise<CryptoBoxPubKey>} The service's ephemeral public key and key_id.
+     */
+    async getPubkey() {
+        const response = await this.request(new Request(`${this.url}/pubkey`, { method: "GET" }));
+        return parseJSON(await response.text());
+    }
+    /**
+     * Registers the account with the record scanner service using the encrypted flow: 1. fetches an ephemeral public key from /pubkey - 2. encrypts the registration request (view key + start block) - 3. POSTs to /register/encrypted. Does not HTTP error on a proper error response from the record scanner; returns a result object instead.
+     *
+     * @param {ViewKey} viewKey The view key to register.
+     * @param {number} startBlock The block height to start scanning from.
+     * @returns {Promise<RegisterResult>} `{ ok: true, data }` on success, or `{ ok: false, status, error }` on failure.
+     */
+    async registerEncrypted(viewKey, startBlock) {
+        try {
+            const pubkey = await this.getPubkey();
+            const ciphertext = encryptRegistrationRequest(pubkey.public_key, viewKey, startBlock);
+            const payload = {
+                key_id: pubkey.key_id,
+                ciphertext,
+            };
+            const response = await this.request(new Request(`${this.url}/register/encrypted`, {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify(payload),
+            }));
+            const data = await response.json();
+            this.uuid = data.uuid;
+            return { ok: true, data };
+        }
+        catch (err) {
+            if (err instanceof RecordScannerRequestError) {
+                return {
+                    ok: false,
+                    status: err.status,
+                    error: { message: err.message },
+                };
+            }
+            throw err;
         }
     }
     /**
@@ -3568,18 +4007,24 @@ class RecordScanner {
     }
     /**
      * Wrapper function to make a request to the record scanner service and handle any errors.
+     * Optionally adds JWT Authorization header when consumerId/jwtData (or apiKey+consumerId) are configured.
      *
      * @param {Request} req The request to make.
      * @returns {Promise<Response>} The response.
      */
     async request(req) {
         try {
+            const authHeaders = await this.getAuthHeaders();
+            for (const [key, value] of Object.entries(authHeaders)) {
+                req.headers.set(key, value);
+            }
             if (this.apiKey) {
                 req.headers.set(this.apiKey.header, this.apiKey.value);
             }
             const response = await fetch(req);
             if (!response.ok) {
-                throw new Error(await response.text() ?? `Request to ${req.url} failed with status ${response.status}`);
+                const text = await response.text();
+                throw new RecordScannerRequestError(text || `Request to ${req.url} failed with status ${response.status}`, response.status);
             }
             return response;
         }
@@ -3616,6 +4061,7 @@ class RecordScanner {
  * const proof_left = sealance.getSiblingPath(tree, leftIdx, 15);
  * const proof_right = sealance.getSiblingPath(tree, rightIdx, 15);
  * const exclusion_proof = [proof_left, proof_right];
+ * const formatted_proof = sealance.formatMerkleProof(exclusion_proof);
  * ```
  */
 class SealanceMerkleTree {
@@ -3633,8 +4079,9 @@ class SealanceMerkleTree {
     *
     * @example
     * ```typescript
+    * const sealance = new SealanceMerkleTree();
     * const address = "aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px";
-    * const fieldValue = convertAddressToField(address);
+    * const fieldValue = sealance.convertAddressToField(address);
     * console.log(fieldValue); // 123456789...n
     * ```
     */
@@ -3673,8 +4120,9 @@ class SealanceMerkleTree {
     *
     * @example
     * ```typescript
+    * const sealance = new SealanceMerkleTree();
     * const leaves = ["0field", "1field", "2field", "3field"];
-    * const tree = buildTree(leaves);
+    * const tree = sealance.buildTree(leaves);
     * const root = tree[tree.length - 1]; // Get the Merkle root
     * ```
     */
@@ -3703,10 +4151,23 @@ class SealanceMerkleTree {
         }
         return tree.map(element => BigInt(element.slice(0, element.length - "field".length)));
     }
-    /** Converts an array of decimal string representations of U256 numbers to an array of BigInts.
+    /**
+    * Converts an array of decimal string representations of U256 numbers to an array of BigInts.
     *
     * @param tree - Array of decimal string representations of U256 numbers.
     * @returns Array of BigInts.
+    *
+    * @example
+    * ```typescript
+    * const treeStrings = ["0","4328470178059738374782465505490977516512210899136548187530607227309847251692","1741259420362056497457198439964202806733137875365061915996980524089960046336"];
+    * const sealance = new SealanceMerkleTree();
+    * const treeBigInts = sealance.convertTreeToBigInt(treeStrings);
+    * console.log(treeBigInts); // [
+    *   0,
+    *   4328470178059738374782465505490977516512210899136548187530607227309847251692,
+    *   1741259420362056497457198439964202806733137875365061915996980524089960046336
+    *  ]
+    * ```
     */
     convertTreeToBigInt(tree) {
         return tree.map((element) => {
@@ -3730,11 +4191,18 @@ class SealanceMerkleTree {
     * @example
     * ```typescript
     * const addresses = [
-    *   "aleo1...",
-    *   "aleo1..."
-    * ];
-    * const leaves = generateLeaves(addresses, 15);
-    * const tree = buildTree(leaves);
+ *      "aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px",
+ *      "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+ *      "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+ *    ];
+    * const sealance = new SealanceMerkleTree();
+    * const leaves = sealance.generateLeaves(addresses, 15);
+    * console.log(leaves); // [
+    *   "0field",
+    *   "1295133970529764960316948294624974168921228814652993007266766481909235735940field",
+    *   "1295133970529764960316948294624974168921228814652993007266766481909235735940field",
+    *   "3501665755452795161867664882580888971213780722176652848275908626939553697821field"
+    *  ]
     * ```
     */
     generateLeaves(addresses, maxTreeDepth = 15) {
@@ -3773,8 +4241,15 @@ class SealanceMerkleTree {
     *
     * @example
     * ```typescript
-    * const tree = buildTree(leaves);
-    * const [leftIdx, rightIdx] = getLeafIndices(tree, "aleo1...");
+    * const addresses = [
+ *      "aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px",
+ *      "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+ *      "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+ *    ];
+    * const sealance = new SealanceMerkleTree();
+    * const leaves = sealance.generateLeaves(addresses);
+    * const tree = sealance.buildTree(leaves);
+    * const [leftIdx, rightIdx] = sealance.getLeafIndices(tree, "aleo1...");
     * ```
     */
     getLeafIndices(merkleTree, address) {
@@ -3802,9 +4277,17 @@ class SealanceMerkleTree {
     *
     * @example
     * ```typescript
-    * const tree = buildTree(leaves);
-    * const proof = getSiblingPath(tree, 0, 15);
-    * // proof = { siblings: [0n, 1n, ...], leaf_index: 0 }
+    * const addresses = [
+    *    "aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px",
+    *    "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+    *    "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+    *  ];
+    * const sealance = new SealanceMerkleTree();
+    * const leaves = sealance.generateLeaves(addresses);
+    * const tree = sealance.buildTree(leaves);
+    * const [leftIdx, rightIdx] = sealance.getLeafIndices(tree, "aleo1...");
+    * const proof = sealance.getSiblingPath(tree, leftIdx, 15);
+    * // proof = { siblings: [0n, 1n, ...], leaf_index: leftIdx }
     * ```
     */
     getSiblingPath(tree, leafIndex, depth) {
@@ -3835,10 +4318,18 @@ class SealanceMerkleTree {
     *
     * @example
     * ```typescript
-    * const tree = buildTree(leaves);
-    * const proof = getSiblingPath(tree, 0, 15);
-    * const proof2 = getSiblingPath(tree, 1, 15);
-    * const formattedProof = formatMerkleProof([proof, proof2]);
+    * const addresses = [
+    *    "aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px",
+    *    "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+    *    "aleo1s3ws5tra87fjycnjrwsjcrnw2qxr8jfqqdugnf0xzqqw29q9m5pqem2u4t",
+    *  ];
+    * const sealance = new SealanceMerkleTree();
+    * const leaves = sealance.generateLeaves(addresses);
+    * const tree = sealance.buildTree(leaves);
+    * const [leftIdx, rightIdx] = sealance.getLeafIndices(tree, "aleo1...");
+    * const proof1 = getSiblingPath(tree, leftIdx, 15);
+    * const proof2 = getSiblingPath(tree, rightIdx, 15);
+    * const formattedProof = formatMerkleProof([proof1, proof2]);
     * // formattedProof = "[{ siblings: [0field, 1field, ...], leaf_index: 0u32 }, { siblings: [0field, 2field, ...], leaf_index: 1u32 }]"
     * ```
     */
@@ -4267,7 +4758,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -4938,7 +5431,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5110,7 +5605,9 @@ class ProgramManager {
         // Build an execution transaction and submit it to the network
         const tx = await ProgramManager$1.buildJoinTransaction(executionPrivateKey, recordOne, recordTwo, priorityFee, feeRecord, this.host, joinProvingKey, joinVerifyingKey, feeProvingKey, feeVerifyingKey, offlineQuery);
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5437,7 +5934,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5538,7 +6037,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5644,7 +6145,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5742,7 +6245,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5836,7 +6341,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return await this.networkClient.submitTransaction(tx);
     }
     /**
@@ -5943,7 +6450,9 @@ class ProgramManager {
             throw Error("No private key provided and no private key set in the ProgramManager. Please set an account or provide a private key.");
         }
         // Check if the account has sufficient credits to pay for the transaction
-        await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        if (!options.privateFee) {
+            await this.checkFee(feeAddress.to_string(), tx.feeAmount());
+        }
         return this.networkClient.submitTransaction(tx);
     }
     /**
@@ -6513,5 +7022,5 @@ async function initializeWasm() {
     console.warn("initializeWasm is deprecated, you no longer need to use it");
 }
 
-export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KEY_STORE, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordScanner, SealanceMerkleTree, VALID_TRANSFER_TYPES, initializeWasm, logAndThrow };
+export { Account, AleoKeyProvider, AleoKeyProviderParams, AleoNetworkClient, BlockHeightSearch, CREDITS_PROGRAM_KEYS, KEY_STORE, NetworkRecordProvider, OfflineKeyProvider, OfflineSearchParams, PRIVATE_TO_PUBLIC_TRANSFER, PRIVATE_TRANSFER, PRIVATE_TRANSFER_TYPES, PUBLIC_TO_PRIVATE_TRANSFER, PUBLIC_TRANSFER, PUBLIC_TRANSFER_AS_SIGNER, ProgramManager, RECORD_DOMAIN, RecordScanner, SealanceMerkleTree, VALID_TRANSFER_TYPES, encryptAuthorization, encryptProvingRequest, encryptRegistrationRequest, encryptViewKey, initializeWasm, isProveApiErrorBody, isProvingResponse, logAndThrow };
 //# sourceMappingURL=browser.js.map